
Frontend for pass (the standard unix password manager)

Project description


The qpass program is a simple command line frontend for pass, the standard unix password manager. It makes it very easy to quickly find and copy specific passwords in your ~/.password-store to the clipboard. The package is currently tested on CPython 2.6, 2.7, 3.4, 3.5, 3.6 and PyPy (2.7). It’s intended to work on Linux as well as macOS, although it has only been tested on Linux.

Installation

The qpass package is available on PyPI which means installation should be as simple as:

$ pip install qpass

There’s actually a multitude of ways to install Python packages (e.g. the per user site-packages directory, virtual environments or just installing system wide) and I have no intention of getting into that discussion here, so if this intimidates you then read up on your options before returning to these instructions ;-).

Usage

There are two ways to use the qpass package: As the command line program qpass and as a Python API. For details about the Python API please refer to the API documentation available on Read the Docs. The command line interface is described below.

Command line

Usage: qpass [OPTIONS] KEYWORD..

Search your password store for the given keywords or patterns and copy the password of the matching entry to the clipboard. When more than one entry matches you will be prompted to select the password to copy.

If you provide more than one KEYWORD all of the given keywords must match, in other words you’re performing an AND search instead of an OR search.

Instead of matching on keywords you can also enter just a few of the characters in the name of a password, as long as those characters are in the right order. Some examples to make this more concrete:

  • The pattern ‘pe/zbx’ will match the name ‘Personal/Zabbix’.

  • The pattern ‘ba/cc’ will match the name ‘Bank accounts/Creditcard’.
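The matching rules described above can be sketched as follows. This is an added example, not qpass's own code: the function names, the constructed entry names, the "substring first, fuzzy only when nothing matched" order and the refusal to pick among several matches are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed entry names, as they would appear relative to a password store.
NAMES = ["Personal/Zabbix", "Personal/GitHub", "Bank accounts/Creditcard",
         "Work/Zabbix", "Work/Old/Zabbix"]

def fuzzy_regex(pattern):
    """'pe/zbx' -> p.*e.*/.*z.*b.*x: the same characters, in order, gaps allowed."""
    return re.compile(".*".join(re.escape(c) for c in pattern), re.IGNORECASE)

def search(names, keywords, exclude=()):
    """Return the names that match ALL keywords (an AND search).

    Names matching an exclude glob are dropped first. Case insensitive
    substring matching is tried first; fuzzy matching is only used when
    that finds nothing (an assumption of this sketch).
    """
    candidates = [n for n in names
                  if not any(fnmatch.fnmatch(n.lower(), g.lower()) for g in exclude)]
    hits = [n for n in candidates
            if all(k.lower() in n.lower() for k in keywords)]
    if not hits:
        patterns = [fuzzy_regex(k) for k in keywords]
        hits = [n for n in candidates if all(p.search(n) for p in patterns)]
    return sorted(hits)

def pick(names, keywords, exclude=()):
    """Return the single matching name, or raise instead of guessing."""
    hits = search(names, keywords, exclude)
    if len(hits) != 1:
        raise LookupError("%d entries match %r: %s" % (len(hits), keywords, hits))
    return hits[0]

if __name__ == "__main__":
    print(search(NAMES, ["pe/zbx"]))                        # fuzzy match
    print(search(NAMES, ["zabbix", "work"]))                # AND search
    print(search(NAMES, ["zabbix", "work"], ["*/Old/*"]))   # with an exclude glob
```

A pattern that is too short matches several entries, which is why the selection step must never silently take the first hit.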

When a password is copied to the clipboard, any text after the first line will be shown on the terminal, to share any additional details about the password entry (for example the associated username or email address). The -q, --quiet option suppresses this text.

Supported options:

-e, --edit
    Edit the matching entry instead of copying it to the clipboard.

-l, --list
    List the matching entries on standard output.

-n, --no-clipboard
    Don’t copy the password of the matching entry to the clipboard, instead show the password on the terminal (by default the password is copied to the clipboard but not shown on the terminal).

-p, --password-store=DIRECTORY
    Search the password store in DIRECTORY. If this option isn’t given the password store is located using the $PASSWORD_STORE_DIR environment variable. If that environment variable isn’t set the directory ~/.password-store is used.

    You can use the -p, --password-store option multiple times to search more than one password store at the same time. No distinction is made between passwords in different password stores, so the names of passwords need to be recognizable and unique.

-f, --filter=PATTERN
    Don’t show lines in the additional details which match the case insensitive regular expression given by PATTERN. This can be used to avoid revealing sensitive details on the terminal. You can use this option more than once.

-x, --exclude=GLOB
    Ignore passwords whose name matches the given GLOB filename pattern. This argument can be repeated to add multiple exclude patterns.

-v, --verbose
    Increase logging verbosity (can be repeated).

-q, --quiet
    Decrease logging verbosity (can be repeated).

-h, --help
    Show this message and exit.

Why use pass?

In 2016 I was looking for a way to securely share passwords and other secrets between my laptops and smartphones. I’m not going to bore you with the full details of my quest to find the ultimate password manager but I can highlight a few points about pass that are important to me:

GPG encryption

GPG is a cornerstone of computer security and it’s open source. This means it receives quite a lot of peer review, which makes it easier for me to trust (versus do-it-yourself cryptography). Because pass uses GPG to implement its encryption my trust extends directly to pass. Of course it also helps that I had years of experience with GPG before I started using pass :-).

Git version control

The git integration in pass makes it very easy to keep your passwords under version control and synchronize the passwords between multiple systems. Git is a great version control system and while I sometimes get annoyed by the fact that git pull automatically merges, it’s actually the perfect default choice for a password store. As an added bonus you have a history of every change you ever made to your passwords.

SSH secure transport

I’ve been using SSH to access remote systems over secure connections for a very long time now so I’m quite comfortable setting up and properly securing SSH servers. In the case of pass I use SSH to synchronize my passwords between my laptops and smartphones via a central server that hosts the private git repository.

History

Shortly after starting to use pass I realized that I needed a quick and easy way to copy any given password to the clipboard, something smarter than the pass program.

I tried out several GUI frontends but to be honest each of them felt clumsy. I guess that through my work as a system administrator and programmer I’ve grown to prefer command line interfaces over graphical user interfaces :-). For a few weeks I tried upass (a somewhat fancy command line interface) but the lack of simple things like case insensitive search made me stop using it.

Out of frustration I hacked together a simple Python script that would perform case insensitive substring searches on my passwords, copying the password to the clipboard when there was exactly one match. I called the Python script qpass, thinking that it was similar in purpose to upass but much quicker for me to use, so q (for quick) instead of u.

After using that Python script for a while I noticed that case insensitive substring searching still forced me to specify long and detailed patterns in order to get a unique match. Experimenting with other ways to match unique passwords I came up with the idea of performing a “fuzzy match” against the pathname of the password (including the directory components). The fuzzy searching where a pattern like e/z matches Personal/Zabbix has since become my primary way of interacting with my password stores.

Support for multiple password stores

One great aspect of pass is the git integration that makes it easy to share a password store between several devices [1] or people [2]. This use case makes it much more likely that you’ll end up using multiple password stores, which is something that pass doesn’t specifically make easy.

This is why I added support for querying multiple password stores to qpass in version 2.0. For now I’ve kept things simple which means no distinction is made between passwords in different password stores, so the names of passwords need to be recognizable and unique.
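Because no distinction is made between stores, a name that exists in two of them is ambiguous. The following added example (not part of qpass) resolves the store directories in the order given for the -p option and reports such collisions; the function names, the constructed demo stores and the case insensitive comparison are assumptions of this sketch, and it relies on pass keeping each entry as a .gpg file.

```python
import os
import tempfile
from collections import defaultdict

def store_directories(cli_dirs=(), environ=os.environ):
    """-p values if given, else $PASSWORD_STORE_DIR, else ~/.password-store."""
    if cli_dirs:
        return [os.path.abspath(os.path.expanduser(d)) for d in cli_dirs]
    default = environ.get("PASSWORD_STORE_DIR") or "~/.password-store"
    return [os.path.abspath(os.path.expanduser(default))]

def entry_names(store):
    """Yield entry names: path relative to the store, without the .gpg suffix."""
    for root, dirs, files in os.walk(store):
        dirs[:] = [d for d in dirs if not d.startswith(".")]  # skip .git and friends
        for filename in files:
            if filename.endswith(".gpg"):
                relative = os.path.relpath(os.path.join(root, filename), store)
                yield relative[:-len(".gpg")].replace(os.sep, "/")

def name_collisions(stores):
    """Map each (lowercased) name found in more than one store to those stores."""
    seen = defaultdict(list)
    for store in stores:
        for name in entry_names(store):
            seen[name.lower()].append(store)
    return {name: where for name, where in seen.items() if len(where) > 1}

if __name__ == "__main__":
    # Constructed demo: two throwaway stores holding empty placeholder files.
    base = tempfile.mkdtemp()
    layout = {"personal": ["Personal/Zabbix", "Shared/VPN"],
              "team": ["Work/Zabbix", "shared/vpn"]}
    for store, names in layout.items():
        for name in names:
            path = os.path.join(base, store, name + ".gpg")
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
    stores = store_directories([os.path.join(base, s) for s in layout])
    for name, where in sorted(name_collisions(stores).items()):
        print("ambiguous entry %r found in: %s" % (name, ", ".join(where)))
```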

About the name

As explained above I initially wrote and named qpass with no intention of ever publishing it. However, since then my team at work has started using pass to manage a shared password store and ever since we started doing that I’ve missed the ability to query that password store using qpass :-).

Publishing qpass as an open source project with a proper Python package available on PyPI provides a nice way to share qpass with my team and it also forces me to maintain proper documentation and an automated test suite.

While considering whether to publish qpass I found that there’s an existing password manager out there called QPass. I decided not to rename my project for the following reasons:

  • While both projects are password managers, they are intended for very different audiences (I’m expecting my end users to be power users that are most likely system administrators and/or programmers).

  • I consider the name of the executable of a GUI program to be a lot less relevant than the name of the executable of a command line program. This is because the GUI will most likely be started via an application launcher, which means the executable doesn’t even need to be on the $PATH.

  • Let’s be honest, pass is already for power users only, so my qpass frontend is most likely not going to see a lot of users ;-).

Contact

The latest version of qpass is available on PyPI and GitHub. The documentation is hosted on Read the Docs and includes a changelog. For bug reports please create an issue on GitHub. If you have questions, suggestions, etc. feel free to send me an e-mail at peter@peterodding.com.

License

This software is licensed under the MIT license.

© 2018 Peter Odding.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qpass-2.3.tar.gz (25.8 kB)

Uploaded Source

Built Distribution

qpass-2.3-py2.py3-none-any.whl (17.8 kB)

Uploaded Python 2 Python 3

File details

Details for the file qpass-2.3.tar.gz.

File metadata

  • Download URL: qpass-2.3.tar.gz
  • Size: 25.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.6.2 requests-toolbelt/0.8.0 tqdm/4.23.4 CPython/2.7.15rc1

File hashes

Hashes for qpass-2.3.tar.gz
Algorithm Hash digest
SHA256 dfdd544a75a9d252abccee9b15abbec77a4a2684b50e1dc2c098fdd7d7cb374f
MD5 1d876d6c853bba877510714ffe484d07
BLAKE2b-256 fc22d88a4efdf1ca18edd04a86eb473e1e8e425c5c204845ca50fc43a3778733


File details

Details for the file qpass-2.3-py2.py3-none-any.whl.

File metadata

  • Download URL: qpass-2.3-py2.py3-none-any.whl
  • Size: 17.8 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.6.2 requests-toolbelt/0.8.0 tqdm/4.23.4 CPython/2.7.15rc1

File hashes

Hashes for qpass-2.3-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 fa16246267c645d0e9e2b08838f8623c6f5b3ab0a96c90bba8d9b8b1a16e014f
MD5 952a70a942053447ecc8a381ac59fea2
BLAKE2b-256 9221875c96f654361693749517a3901e667b0f6c9450057be5a07e3ab2ecc543
